#190 SIP 407 response rejected with invalid message signature

1.15.x
closed-fixed
Stefan Becker
None
Pidgin
5
2013-04-08
2013-04-04
No

Connecting to Office Communicator server via SOCKS5 proxy, I get error message "invalid message signature received".

Pidgin 2.10.7 (Windows 32-bit)
Pidgin-SIPE 1.15.0

Proxy is OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013 (Cygwin)

It's unclear to me if this is related to the NSS issue or not.

1 Attachments

Related

Release Notes: 2013/04/pidgin-sipe-release-1151----bug-fixes-i

Discussion

1 2 > >> (Page 1 of 2)
  • Stefan Becker, 2013-04-04

    I don't think this has anything to do with SOCKS5. If SOCKS5 weren't 100% transparent then nothing would work.

    But your log shows something I myself have never seen before, a 407 response to an INVITE:

    ------------- NEXT MESSAGE: outgoing SIP at 2013-04-04T18:15:32.089107Z
    INVITE sip:ocschat@wal-mart.com SIP/2.0
    ...
    ------------- NEXT MESSAGE: incoming SIP at 2013-04-04T18:15:33.006159Z
    SIP/2.0 100 Trying
    ...
    ------------- NEXT MESSAGE: incoming SIP at 2013-04-04T18:15:33.007159Z
    SIP/2.0 407 Proxy Authentication Required
    Authentication-Info: NTLM rspauth="010000001C8EB3006909FF51EE74CEB8", srand="DA9C460C", snum="7", opaque="F5EC6020", qop="auth", targetname="HONTS3309B.homeoffice.Wal-Mart.com", realm="SIP Communications Service"
    ...
    Proxy-Authenticate: Digest realm="videovcsn.wal-mart.com", nonce="e1ba9ab56367978e43bc64ebcee0369d5a515818880fcb7e4f8538d3680a", opaque="AQAAAEqoMR5R/SB4Celoz84hQr4hMqAa", stale=FALSE, algorithm=MD5, qop="auth"
    ....
    (19:15:33) sipe: sip_sec_verify_signature: message is:<Digest><><><videovcsn.wal-mart.com><><5F4Cg30B0a1BE1i4130m3523t461Db0141x304Fx><1><INVITE><sip:bssmit0@wal-mart.com><1301214677><sip:ocschat@wal-mart.com><7eb3c8d1ed425f30><><><><407> signature to verify is:010000001C8EB3006909FF51EE74CEB8
    (19:15:33) sipe: SSPI ERROR [-2146893041] in sip_sec_verify_signature__sspi: VerifySignature: The message or signature supplied for verification has been altered
    

    I know there is code to handle response 407, but I've never seen it exercised and don't know if it ever worked or just got broken.

    The thing I definitely know is that there is no code to handle "Digest" authentication, because I removed it 2 years ago (commit b75c568fe05a). I guess I will have to re-add it before this will work for you. But this will not happen in the 1.15.x time frame.

    But I also see a bug triggered in sipe-sign.c. There are two different authentication headers in the 407 message and it picks the wrong one for the message signature calculation. I could provide a patch for that. Can you fetch the code from git HEAD, compile it, and would you be able to test a fix?
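
The header mix-up described in the post above, as an added example that is not part of this ticket or of pidgin-sipe's code: a small Python script that parses a 407 assembled from the headers quoted in the log, picks the Authentication-Info header that actually carries rspauth for the scheme negotiated at REGISTER (NTLM) instead of the Digest Proxy-Authenticate challenge, and assembles the string the message signature is computed over. The mapping of SIP headers onto the bracketed fields is read off the log line above and is an assumption (MS-SIPAE defines the real layout), as are the function names and the constructed response; the three empty fields before the response code are reproduced as sipe printed them. Checking rspauth itself needs the NTLM session key from the REGISTER exchange and is not shown.

```python
import re

# Constructed input: a minimal 407 assembled from the headers and the
# From/To/Call-ID/CSeq values quoted in the ticket's log (no real capture).
RESPONSE_407 = "\r\n".join([
    "SIP/2.0 407 Proxy Authentication Required",
    'Authentication-Info: NTLM rspauth="010000001C8EB3006909FF51EE74CEB8", '
    'srand="DA9C460C", snum="7", opaque="F5EC6020", qop="auth", '
    'targetname="HONTS3309B.homeoffice.Wal-Mart.com", '
    'realm="SIP Communications Service"',
    'Proxy-Authenticate: Digest realm="videovcsn.wal-mart.com", '
    'nonce="e1ba9ab56367978e43bc64ebcee0369d5a515818880fcb7e4f8538d3680a", '
    'opaque="AQAAAEqoMR5R/SB4Celoz84hQr4hMqAa", stale=FALSE, algorithm=MD5, qop="auth"',
    "From: <sip:bssmit0@wal-mart.com>;tag=1301214677",
    "To: <sip:ocschat@wal-mart.com>;tag=7eb3c8d1ed425f30",
    "Call-ID: 5F4Cg30B0a1BE1i4130m3523t461Db0141x304Fx",
    "CSeq: 1 INVITE",
    "", "",
])

# auth-param: token "=" (quoted-string | token)
_PARAM_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

# Only these headers carry a server signature (rspauth) over the response.
# Proxy-Authenticate / WWW-Authenticate are challenges and never do.
SIGNATURE_HEADERS = ("authentication-info", "proxy-authentication-info")


def parse_auth_header(value):
    """'NTLM a="1", b=2' -> ('NTLM', {'a': '1', 'b': '2'}), quotes stripped."""
    scheme, _, params = value.strip().partition(" ")
    out = {}
    for key, val in _PARAM_RE.findall(params):
        out[key.lower()] = val[1:-1] if val.startswith('"') else val
    return scheme, out


def parse_response(raw):
    """-> (status code, [(lower-cased header name, value), ...]) keeping order."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    code = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return code, headers


def first_header(headers, name):
    for n, v in headers:
        if n == name:
            return v
    raise KeyError(name)


def uri_and_tag(value):
    """'<sip:u@h>;tag=abc' -> ('sip:u@h', 'abc')."""
    uri = re.search(r"<([^>]+)>", value)
    tag = re.search(r";tag=([^;\s]+)", value)
    return (uri.group(1) if uri else value), (tag.group(1) if tag else "")


def select_signature_header(headers, scheme):
    """Params of the header carrying rspauth for the scheme negotiated at
    REGISTER, or None. A challenge for another scheme (the Digest
    Proxy-Authenticate in this 407) is skipped: it has no rspauth and its
    realm/nonce are not the signature's inputs."""
    for name, value in headers:
        if name not in SIGNATURE_HEADERS:
            continue
        hdr_scheme, params = parse_auth_header(value)
        if hdr_scheme.upper() == scheme.upper() and "rspauth" in params:
            return params
    return None


def build_signature_string(code, headers, scheme, params):
    """Assemble the signed string in the field order sipe printed in its log."""
    cseq_num, _, cseq_method = first_header(headers, "cseq").partition(" ")
    from_uri, from_tag = uri_and_tag(first_header(headers, "from"))
    to_uri, to_tag = uri_and_tag(first_header(headers, "to"))
    fields = [
        scheme, params.get("srand", ""), params.get("snum", ""),
        params.get("realm", ""), params.get("targetname", ""),
        first_header(headers, "call-id"), cseq_num, cseq_method,
        from_uri, from_tag, to_uri, to_tag,
        "", "", "",  # empty in this response (assumed: P-Asserted-Identity, Expires)
        str(code),
    ]
    return "".join("<%s>" % f for f in fields)


def signature_string_from_challenge(raw):
    """The mistaken choice: take scheme and params from the Proxy-Authenticate
    challenge. Reproduces the <Digest><><>... string in the ticket's log."""
    code, headers = parse_response(raw)
    scheme, params = parse_auth_header(first_header(headers, "proxy-authenticate"))
    return build_signature_string(code, headers, scheme, params)


def signature_string_for_verify(raw, scheme="NTLM"):
    """The correct choice: (string to MAC, rspauth to compare the MAC against)."""
    code, headers = parse_response(raw)
    params = select_signature_header(headers, scheme)
    if params is None:
        raise ValueError("no %s signature header in %d response" % (scheme, code))
    return build_signature_string(code, headers, scheme, params), params["rspauth"]
```

signature_string_from_challenge() yields the string from the log line (scheme Digest, empty srand/snum/targetname), which no NTLM MAC can match; signature_string_for_verify() builds it from the NTLM Authentication-Info header and hands back the rspauth to compare against. It raises when the response has no signature header for the negotiated scheme rather than silently verifying against a challenge, which is what turns a harmless 407 into a dropped connection.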

     
  • > There are two different authentication headers in the 407 message and it picks the wrong one for the message signature calculation. I could provide a patch for that. Can you fetch code from git HEAD, compile it and would be able to test a fix?

    What are the steps to compile and what tools do I need? A link is a fine answer, but is http://sourceforge.net/apps/mediawiki/sipe/index.php?title=Windows_Build correct?

    I'm comfortable with git, so that's not an issue. The rest of it, I've probably not done before.

    --
    Boyd Stephen Smith Jr.
    Boyd Smith Jr/US/Toshiba GCS/IDE
    smithboy@us.ibm.com

     
    • Stefan Becker, 2013-04-04

      If you have a Linux box then Windows cross-compilation is easy:

      1. how to get the code
      2. read the file contrib/mingw-cross-compile/README.txt in the source code tree
       
  • Stefan Becker, 2013-04-04

    As a temporary workaround this might work for you: go to the Advanced tab of the account setting and set the field Group Chat Proxy to does.not.exist@walmart.com. As the user doesn't exist the INVITE should simply fail and so bypass the issue.

    This assumes that no other INVITE will trigger a 407 response from the server.

     
  • Stefan Becker, 2013-04-04

    • summary: invalid message signature received --> 407 reponse rejected with invalid message signature
     
  • Stefan Becker, 2013-04-04

    • summary: 407 reponse rejected with invalid message signature --> SIP 407 response rejected with invalid message signature
     
  • Stefan Becker, 2013-04-04

    commit 786dd9c should fix the "invalid message signature received" connection drop.

    As the Digest algorithm isn't implemented you will probably see in the log about 30 ->INVITE / <-407 pairs but it should no longer drop the connection.

    Let's hope that Proxy-Authentication isn't needed when you want to talk to other users.

     
  • "Stefan Becker" stefanb2@users.sf.net wrote on 2013-04-04 15:19:34:

    > As a temporary workaround this might work for you: go to the Advanced tab of the account setting and set the field Group Chat Proxy to does.not.exist@walmart.com. As the user doesn't exist the INVITE should simply fail and so bypass the issue.
    > This assumes that no other INVITE will trigger a 407 response from the server.

    Sorry, even with this set, I still get a 407 in response to the INVITE, not a failure. I doubt it will be helpful, but I've attached (part of) debug.log captured with the work-around in place.

    --
    Boyd Stephen Smith Jr.
    Boyd Smith Jr/US/Toshiba GCS/IDE
    smithboy@us.ibm.com

     
    • Stefan Becker, 2013-04-05

      Sorry, maybe I'm blind, but I don't see the new attachment...

       
      • Stefan Becker, 2013-04-05

        It looks like attachments on REPLIES are currently broken. Please don't use Reply but the message box at the bottom when you want to have a message with an attachment.

         
    • Promised attachment that was stripped when I responded via email.

       
  • "Stefan Becker" stefanb2@users.sf.net wrote on 2013-04-04 15:23:14:

    > If you have a Linux box then Windows cross-compilation is easy:
    > 1. how to get the code
    > 2. read the file contrib/mingw-cross-compile/README.txt in the source code tree

    "Stefan Becker" stefanb2@users.sf.net wrote on 2013-04-04 15:51:52:

    > commit 786dd9c should fix the "invalid message signature received" connection drop.

    I tried cross compiling from the Debian Sid virtual machine, following said instructions.

    Unfortunately, the step that starts on line 74 fails on the last (or nearly last) make step. I don't seem to be able to copy-and-paste from the VM right now, so I don't have the exact error message, but it is doing the final linking step (/usr/bin/i586-mingw32msvc-cc -shared ... -o libsipe.dll) and complains that __stack_chk_fail is defined in both libssp.a and libpurple.dll.a.

    I removed -lpidgin from the command-line and it failed.
    I removed -lssp from the command-line and it succeeded! Any hints on how to modify the makefile so that others don't encounter the error?

    Unfortunately vmware-tools is giving me pains trying to share data so I wasn't able to test.
    --
    Boyd Stephen Smith Jr.
    Boyd Smith Jr/US/Toshiba GCS/IDE
    smithboy@us.ibm.com

     
    • Stefan Becker, 2013-04-05

      > I removed -lssp from the command-line and it succeeded!

      This library is not added by SIPE, it stems from the Pidgin Windows build:

      libpurple/win32/global.mak:DLL_LD_FLAGS += -Wl,--enable-auto-image-base -Wl,--enable-auto-import $(LD_HARDENING_OPTIONS) -lssp
      pidgin/Makefile.mingw:LDFLAGS := $(WINAPP) $(LD_HARDENING_OPTIONS) -Wl,--enable-auto-import -lssp
      

      Maybe your mingw GCC is too old. I'm using Fedora 18 myself.

       
      • 4.2.1.dfsg-2 is what I am using. I cross compiled from my home box (Debian Wheezy, same mingw32 version) and got the same error, so I just dropped the -lssp from libpurple/win32/global.mak.

         
    • I tried to test, but the .dll I built does not seem to work. It is found as part of pidgin startup, and then probed, but it "is not loadable" because "The specified procedure could not be found."

      I'm guessing something is wrong with my build, but I don't know what it could be.

       
  • Trying again with attachment.

     
    Attachments
    • Stefan Becker, 2013-04-05

      OK, thanks for trying. I'm getting the feeling that in your installation any INVITE will trigger a Proxy response. No idea why, I have never seen such an installation.

      Please retry with the provided commit to see if this gets any better. If not then we'll have to debug this further for the 1.16.0 release.

       
  • Stefan Becker, 2013-04-06

    Please try the attached version I compiled yesterday. It was using my standard release build environment with Windows Pidgin 2.10.7.

    If this also doesn't work for you, can you then maybe switch to Pidgin on your Linux box?

     
    Attachments
    • Seems to work for me. It will get more thorough testing during the week. Is there anything in particular you'd like me to confirm works / does not work? Would you like a debug.log of anything, or just an example of success on this setup?

      Thanks a lot!

       
      • Stefan Becker, 2013-04-07

        So with this version you can connect and leave the Group Chat Proxy entry empty?

        Can you provide a --debug log, e.g. by running Pidgin until it shows "Available" and then stop it? Thanks.

         
  • On Saturday, April 06, 2013 11:52:37 you wrote:

    > Please try the attached version I compiled yesterday. It was using my standard release build environment with Windows Pidgin 2.10.7.

    Will do, likely later today.

    > If this also doesn't work for you can you then maybe switch to Pidgin on your Linux box?

    Unfortunately, my home Linux system is not available to use for work purposes.

    It should be possible to replace MS Windows with Linux on my work system, but I'd also like a solution for co-workers that are more comfortable in MS Windows.
    --
    Boyd Stephen Smith Jr.
    bss@iguanasuicide.net
    ICQ: 514984 YM/AIM: DaTwinkDaddy
    http://iguanasuicide.net/

     
    • Stefan Becker, 2013-04-06

      > It should be possible to replace MS Windows with Linux on my work system, but I'd also like a solution for co-workers that are more comfortable in MS Windows.

      I meant only for our debugging purposes, not for the final result.

      Is it possible to run a virtual machine on your Windows system? Then you don't need to replace Windows, but simply run Linux in a VM on Windows to run Pidgin. If you install Fedora 18 in the VM, then I guess that your Windows cross-compilation problems would probably also go away.

       
  • Attaching debug.log showing good results from recent build, as requested.

     
    Attachments
  • Stefan Becker, 2013-04-08

    • status: open --> closed-fixed
    • assigned_to: Stefan Becker
     
  • Stefan Becker, 2013-04-08

    OK, the log shows that your primary problem is solved: the signature of the 407 response is now correctly processed and no longer leads to a drop of the connection. Good, I will close this bug.

    The log doesn't answer the next question: are you actually able to IM with anyone? If what I see for user ocschat is happening for any peer then you'll not be happy at all with SIPE, because you can't talk to anybody :-)

    Reason is that the processing of the 407 response is still incorrect:

    ------------- NEXT MESSAGE: outgoing SIP at 2013-04-08T13:43:12.155482Z
    INVITE sip:ocschat@wal-mart.com SIP/2.0
    ...
    Proxy-Authorization: (null) qop="auth", opaque="AQAAAEqoMR5R/SB4Celoz84hQr4hMqAa", ...
    Authorization: NTLM qop="auth", opaque="B9570321", ...
    

    The Proxy-Authorization should not be (null) but Digest in your case.

    Please take this latest log, create a new feature request ticket with the topic "implement Digest authentication scheme for SIP Proxy Authentication" and attach it there. This is just to make sure that this doesn't get forgotten somehow, OK?

     